XIVD: Runtime detection of XPath injection vulnerabilities in XML databases through aspect oriented programming

Abstract

The growing acceptance of XML technologies for documents and protocols, it is logical that security should be integrated with XML solutions. In a web application, an improper user input is root cause for a wide variety of attacks. XML Path or XPath language is used for querying information from the nodes of an XML document. XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents such as SQL in Databases. Hence, we proposed an approach to detect XPath injection attack in XML databases at runtime through Aspect Oriented Programming (AOP). Our approach intercept XPath expression i.e.) XQuery from the web application through Aspect Oriented Programming (AOP) and parse the XQuery expression to find the inputs to be placed in the expression. The identified inputs are used to design an XML file and it would be validated through a proposed schema. The validation results the correctness of the XQuery. © 2011 Springer-Verlag.